Re: Callback functions higher up in the stack than X509_STORE_set_verify_cb?

On Tue, Aug 04, 2020 at 10:25:44AM +0200, Ander Juaristi wrote:

> /* Check the OCSP response here */
> ocsp_stap_length = SSL_get_tlsext_status_ocsp_resp(ssl, &ocsp_resp);
> 
> certs = SSL_get_peer_cert_chain(ssl);

Side comment, if you end up sticking with post-handshake validation you
probably want: SSL_get0_verified_chain(3) rather than
SSL_get_peer_cert_chain(3).

A better early hook into SSL cert chain verification is:

    SSL_CTX_set_cert_verify_callback(3)

which you can use to wrap X509_verify_cert(3) and do some
post-processing after the verified chain is constructed.  But
this likely fires before the OCSP extension from the server
is processed.

> I was wondering if a hook point exists that would allow me to do this 
> just before ChangeCipherSpec is sent by the client,
> as, at that point, all the information should already be available.

You're looking for: SSL_CTX_set_tlsext_status_cb(3).

-- 
    Viktor.